0
(0)

This article is part of the Deployment guide and acts as an example onboarding method.

In the Planning topic, there were several methods provided to onboard devices to the service. This topic covers the co-management architecture.

Image of cloud-native architecture. Diagram of environment architectures

While Defender for Endpoint supports onboarding of various endpoints and tools, this article does not cover them. For information on general onboarding using other supported deployment tools and methods, see Onboarding overview.

This topic guides users in:

  • Step 1: Onboarding Windows devices to the service
  • Step 2: Configuring Defender for Endpoint capabilities

This onboarding guidance will walk you through the following basic steps that you need to take when using Microsoft Endpoint Configuration Manager:

  • Creating a collection in Microsoft Endpoint Configuration Manager
  • Configuring Microsoft Defender for Endpoint capabilities using Microsoft Endpoint Configuration Manager

 Note

Only Windows devices are covered in this example deployment.

Step 1: Onboard Windows devices using Microsoft Endpoint Configuration Manager

Collection creation

To onboard Windows devices with Microsoft Endpoint Configuration Manager, the deployment can target an existing collection or a new collection can be created for testing.

Onboarding using tools such as Group policy or manual method does not install any agent on the system.

Within the Microsoft Endpoint Configuration Manager console the onboarding process will be configured as part of the compliance settings within the console.

Any system that receives this required configuration will maintain that configuration for as long as the Configuration Manager client continues to receive this policy from the management point.

Follow the steps below to onboard endpoints using Microsoft Endpoint Configuration Manager.

  1. In Microsoft Endpoint Configuration Manager console, navigate to Assets and Compliance > Overview > Device Collections.

    Image of Microsoft Endpoint Configuration Manager wizard1.

  2. Right Click Device Collection and select Create Device Collection.

    Image of Microsoft Endpoint Configuration Manager wizard2.

  3. Provide a Name and Limiting Collection, then select Next.

    Image of Microsoft Endpoint Configuration Manager wizard3.

  4. Select Add Rule and choose Query Rule.

    Image of Microsoft Endpoint Configuration Manager wizard4.

  5. Click Next on the Direct Membership Wizard and click on Edit Query Statement.

    Image of Microsoft Endpoint Configuration Manager wizard5.

  6. Select Criteria and then choose the star icon.

    Image of Microsoft Endpoint Configuration Manager wizard6.

  7. Keep criterion type as simple value, choose where as Operating System – build number, operator as is greater than or equal to and value 14393 and click on OK.

    Image of Microsoft Endpoint Configuration Manager wizard7.

  8. Select Next and Close.

    Image of Microsoft Endpoint Configuration Manager wizard8.

  9. Select Next.

    Image of Microsoft Endpoint Configuration Manager wizard9.

After completing this task, you now have a device collection with all the Windows endpoints in the environment.

Step 2: Configure Microsoft Defender for Endpoint capabilities

This section guides you in configuring the following capabilities using Microsoft Endpoint Configuration Manager on Windows devices:

Endpoint detection and response

Windows 10 and Windows 11

From within the Microsoft 365 Defender portal it is possible to download the .onboarding policy that can be used to create the policy in System Center Configuration Manager and deploy that policy to Windows 10 and Windows 11 devices.

  1. From a Microsoft 365 Defender portal, select Settings and then Onboarding.
  2. Under Deployment method select the supported version of Microsoft Endpoint Configuration Manager.

    Image of Microsoft Defender for Endpoint onboarding wizard10.

  3. Select Download package.

    Image of Microsoft Defender for Endpoint onboarding wizard11.

  4. Save the package to an accessible location.
  5. In Microsoft Endpoint Configuration Manager, navigate to: Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies.
  6. Right-click Microsoft Defender ATP Policies and select Create Microsoft Defender ATP Policy.

    Image of Microsoft Endpoint Configuration Manager wizard12.

  7. Enter the name and description, verify Onboarding is selected, then select Next.

    Image of Microsoft Endpoint Configuration Manager wizard13.

  8. Click Browse.
  9. Navigate to the location of the downloaded file from step 4 above.
  10. Click Next.
  11. Configure the Agent with the appropriate samples (None or All file types).

    Image of configuration settings1.

  12. Select the appropriate telemetry (Normal or Expedited) then click Next.

    Image of configuration settings2.

  13. Verify the configuration, then click Next.

    Image of configuration settings3.

  14. Click Close when the Wizard completes.
  15. In the Microsoft Endpoint Configuration Manager console, right-click the Defender for Endpoint policy you just created and select Deploy.

    Image of configuration settings4.

  16. On the right panel, select the previously created collection and click OK.

    Image of configuration settings5.

Previous versions of Windows Client (Windows 7 and Windows 8.1)

Follow the steps below to identify the Defender for Endpoint Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.

  1. From a Microsoft 365 Defender portal, select Settings > Endpoints > Onboarding (under Device Management).
  2. Under operating system choose Windows 7 SP1 and 8.1.
  3. Copy the Workspace ID and Workspace Key and save them. They will be used later in the process.

    Image of onboarding.

  4. Install the Microsoft Monitoring Agent (MMA).

    MMA is currently (as of January 2019) supported on the following Windows Operating Systems:

    • Server SKUs: Windows Server 2008 SP1 or Newer
    • Client SKUs: Windows 7 SP1 and later

    The MMA agent will need to be installed on Windows devices. To install the agent, some systems will need to download the Update for customer experience and diagnostic telemetry in order to collect the data with MMA. These system versions include but may not be limited to:

    • Windows 8.1
    • Windows 7
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2

    Specifically, for Windows 7 SP1, the following patches must be installed:

  5. If you’re using a proxy to connect to the Internet see the Configure proxy settings section.

Once completed, you should see onboarded endpoints in the portal within an hour.

Next generation protection

Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.

  1. In the Microsoft Endpoint Configuration Manager console, navigate to Assets and Compliance > Overview > Endpoint Protection > Antimalware Polices and choose Create Antimalware Policy.

    Image of antimalware policy.

  2. Select Scheduled scansScan settingsDefault actionsReal-time protectionExclusion settingsAdvancedThreat overridesCloud Protection Service and Security intelligence updates and choose OK.

    Image of next generation protection pane1.

    In certain industries or some select enterprise customers might have specific needs on how Antivirus is configured.

    Quick scan versus full scan and custom scan

    For more details, see Windows Security configuration framework.

    Image of next generation protection pane2.

    Image of next generation protection pane3.

    Image of next generation protection pane4.

    Image of next generation protection pane5.

    Image of next generation protection pane6.

    Image of next generation protection pane7.

    Image of next generation protection pane8.

    Image of next generation protection pane9.

  3. Right-click on the newly created antimalware policy and select Deploy.

    Image of next generation protection pane10.

  4. Target the new antimalware policy to your Windows collection and click OK.

    Image of next generation protection pane11.

After completing this task, you now have successfully configured Windows Defender Antivirus.

Attack surface reduction

The attack surface reduction pillar of Defender for Endpoint includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection, and Exploit Protection.

All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft 365 Defender portal. The goal with a deployment is to step-by-step move security controls into block mode.

To set ASR rules in Audit mode:

  1. In the Microsoft Endpoint Configuration Manager console, navigate to Assets and Compliance > Overview > Endpoint Protection > Windows Defender Exploit Guard and choose Create Exploit Guard Policy.

    Image of Microsoft Endpoint Configuration Manager console0.

  2. Select Attack Surface Reduction.
  3. Set rules to Audit and click Next.

    Image of Microsoft Endpoint Configuration Manager console1.

  4. Confirm the new Exploit Guard policy by clicking on Next.

    Image of Microsoft Endpoint Configuration Manager console2.

  5. Once the policy is created click Close.

    Image of Microsoft Endpoint Configuration Manager console3.

  6. Right-click on the newly created policy and choose Deploy.

    Image of Microsoft Endpoint Configuration Manager console4.

  7. Target the policy to the newly created Windows collection and click OK.

    Image of Microsoft Endpoint Configuration Manager console5.

After completing this task, you now have successfully configured ASR rules in audit mode.

Below are additional steps to verify whether ASR rules are correctly applied to endpoints. (This may take few minutes)

  1. From a web browser, go to Microsoft 365 Defender.
  2. Select Configuration management from left side menu.
  3. Click Go to attack surface management in the Attack surface management panel.

    Image of attack surface management.

  4. Click Configuration tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.

    A screenshot of attack surface reduction rules reports1.

  5. Click each device shows configuration details of ASR rules.

    A screenshot of attack surface reduction rules reports2.

See Optimize ASR rule deployment and detections for more details.

Set Network Protection rules in Audit mode

  1. In the Microsoft Endpoint Configuration Manager console, navigate to Assets and Compliance > Overview > Endpoint Protection > Windows Defender Exploit Guard and choose Create Exploit Guard Policy.

    A screenshot System Center Configuration Manager1.

  2. Select Network protection.
  3. Set the setting to Audit and click Next.

    A screenshot System Center Configuration Manager2.

  4. Confirm the new Exploit Guard Policy by clicking Next.

    A screenshot Exploit Guard policy1.

  5. Once the policy is created click on Close.

    A screenshot Exploit Guard policy2.

  6. Right-click on the newly created policy and choose Deploy.

    A screenshot Microsoft Endpoint Configuration Manager1.

  7. Select the policy to the newly created Windows collection and choose OK.

    A screenshot Microsoft Endpoint Configuration Manager2.

After completing this task, you now have successfully configured Network Protection in audit mode.

To set Controlled Folder Access rules in Audit mode

  1. In the Microsoft Endpoint Configuration Manager console, navigate to Assets and Compliance > Overview > Endpoint Protection > Windows Defender Exploit Guard and then choose Create Exploit Guard Policy.

    A screenshot of Microsoft Endpoint Configuration Manager3.

  2. Select Controlled folder access.
  3. Set the configuration to Audit and click Next.

    A screenshot of Microsoft Endpoint Configuration Manager4.

  4. Confirm the new Exploit Guard Policy by clicking on Next.

    A screenshot of Microsoft Endpoint Configuration Manager5.

  5. Once the policy is created click on Close.

    A screenshot of Microsoft Endpoint Configuration Manager6.

  6. Right-click on the newly created policy and choose Deploy.

    A screenshot of Microsoft Endpoint Configuration Manager7.

  7. Target the policy to the newly created Windows collection and click OK.

    A screenshot of Microsoft Endpoint Configuration Manager8.

You have now successfully configured Controlled folder access in audit mode.

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.